Tutorial: Bypassing Broadcast Key Rotation in WPA Migration Mode

Introduction

This tutorial walks you through cracking WPA Migration Mode with Broadcast Key Rotation enabled. It assumes you have a working wireless card with drivers already patched for injection.

WPA Migration Mode is a configuration setting supported by Cisco Aironet access points (IOS Releases 12.2(11)JA and later), which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID).

Broadcast Key Rotation is a security feature offered by Cisco Aironet access points that “significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point”.

According to the documentation, with Broadcast Key Rotation “the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates.”

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool, and darkAudax for writing the tutorials which we used as a basis.

Assumptions

First, this solution assumes:

You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.

You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less than the AP strength, so you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions.

You are using v1.2 of aircrack-ng, as this attack is only supported in this version and later.

Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card.

Equipment used

In this tutorial, here is what was used:

MAC address of PC running aircrack-ng suite: 00:1f:3c:4e:88:46

BSSID (MAC address of access point): 00:26:0B:2A:BA:40

ESSID (Wireless network name): migrate

Access point channel: 8

Wireless interface: wlan0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution

Solution Overview

To bypass Broadcast Key Rotation, fake authentication as a WEP client must be carried out to force the access point to switch back to using the static WEP key to encrypt broadcast traffic.

Once Broadcast Key Rotation has been bypassed, the standard attack against an access point configured in WPA Migration Mode can be carried out.

Here are the basic steps we will be going through:

Start the wireless interface in monitor mode on the specific AP channel

Step 1 - Start the wireless interface in monitor mode on AP channel

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is a mode in which your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. In addition, with some rare exceptions, only monitor mode allows you to inject packets.

Enter the following command to start the wireless card on channel 8 in monitor mode:

# airmon-ng start wlan0 8

Substitute the channel number that your AP runs on for “8” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.

In the response above, you can see that mon0 is in monitor mode on the 2.447GHz frequency, which is channel 8, and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card; the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

Step 2 - Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

When a static WEP station associates to the access point in WPA Migration Mode with Broadcast Key Rotation enabled, the access point falls back to using the static WEP key to encrypt broadcast traffic, as the WEP station only has this key set and must be able to decrypt broadcast traffic forwarded by the access point.
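For defenders, the group-key behaviour quoted in the introduction and described above can be replayed over access point association logs to flag static-WEP stations that are not in the approved inventory and to measure how long broadcast traffic was protected only by the static WEP key. This is an added example, not code from the original tutorial or from the Aircrack-ng project; the event tuple format, the MAC addresses and the inventory set are constructed assumptions.

```python
# Constructed sample data: (seconds, event, station MAC, client type).
# "wep" = static WEP (non-key-management) client, "wpa" = key-management client.
SAMPLE_EVENTS = [
    (1,   "auth",     "02:00:00:00:00:01", "wpa"),
    (130, "auth",     "02:00:00:00:00:02", "wpa"),
    (342, "auth",     "02:00:00:00:00:99", "wep"),  # not in the inventory
    (350, "auth",     "02:00:00:00:00:10", "wep"),  # approved legacy device
    (540, "disassoc", "02:00:00:00:00:99", "wep"),
    (750, "disassoc", "02:00:00:00:00:10", "wep"),
]
KNOWN_LEGACY_WEP = {"02:00:00:00:00:10"}  # hypothetical inventory of approved WEP stations


def track_group_key(events, known_wep):
    """Replay events; return (alerts, windows during which the static WEP key was in use)."""
    wep_clients = set()
    static_since = None            # None => dynamic (rotated) group key in use
    alerts, windows = [], []
    for ts, kind, mac, ctype in events:
        if ctype != "wep":
            continue               # key-management clients do not change the group key
        if kind == "auth":
            first_wep = not wep_clients
            wep_clients.add(mac)
            if first_wep:
                static_since = ts  # first static-WEP client: AP distributes the static key
            if mac not in known_wep:
                alerts.append({"time": ts, "mac": mac, "forced_fallback": first_wep})
        elif kind == "disassoc":
            wep_clients.discard(mac)
            if not wep_clients and static_since is not None:
                windows.append((static_since, ts))  # last one left: dynamic key again
                static_since = None
    if static_since is not None:
        windows.append((static_since, None))        # still on the static key at end of log
    return alerts, windows


if __name__ == "__main__":
    alerts, windows = track_group_key(SAMPLE_EVENTS, KNOWN_LEGACY_WEP)
    for a in alerts:
        print("ALERT", a)
    for start, end in windows:
        print("static WEP group key in use from", start, "to", end)
```

In the sample data the unknown station leaves at 540 seconds, but the static key stays in use until the approved legacy device disassociates at 750 seconds, which is why the exposure window is tracked separately from the alert.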